F-Droid and the Janus Vulnerability

The
Janus vulnerability
has sprung forth unto the Android world, and we have sprung into
action to keep it far away.

First off, f-droid.org, guardianproject.info/fdroid and
apt.izzysoft.de/fdroid were scanned for possible Janus exploits and
none were found. f-droid.org’s greatest protection against malware
is the requirement that everything must be built from source, humans
review all apps that are added, and a source tarball for each build is
stored forever. Exploit writers do not want to give away the source
code to their malware nor have their activities permanently logged in
git, so this process keeps them away. No malware has been found in
f-droid.org in its 7 years of operation.

F-Droid is also an open ecosystem, that means many people are getting
apps from other sources. For that reason, we are working to add Janus
detection to the F-Droid Android client app. When an APK with a Janus
exploit is found, it will prompt the user to uninstall it in the
“Updates” tab. If an APK with a Janus exploit is downloaded from a
repo that has allowed it in, it will be blocked from being installed.

There is also some random good news: it turns out that none of the
about 10 Janus examples we have can pass fdroid update. Most of
them failed to verify when fdroid update calls aapt dump badging.
The one file that passed those tests was the publicly released
Janus demo APK.
But it had strange dates like 2042-14-03 00:62:15 in the ZIP
entries, probably because of the tricks needed to assemble this
DEX+ZIP file. This triggered a crash in fdroid update, when parsing
the date of AndroidManifest.xml. Python complains that there is no
14th month. This crash prevents the APK from being added to the
repo. We have also added an
explicit block
for APKs trying to exploit Janus.

Also, apksigner is better at verifying APK signatures, and many
Janus examples failed. If apksigner is installed, then fdroid
build uses it. If an APK is signed with a v2 APK Signature, then
things like Janus exploits are not possible. So if you are working
with APKs that you have not built from source, be sure to install
apksigner.

So we can safely say that it would be difficult to inadvertently put a
Janus exploit in an F-Droid repo. And with the new protections in the
Android client app, a repo cannot force the user to install one.